Encryption Key Sharing Obligations in Europe
1. Meaning of Encryption Key Sharing Obligations
An encryption key sharing obligation is a legal requirement imposed on an individual, company, internet service provider, or technology platform to provide:
- an encryption key;
- password/passphrase;
- decryption capability;
- technical assistance to decrypt encrypted information;
- access mechanisms that allow authorities to read encrypted communications.
The legal debate in Europe mainly concerns the conflict between:
- Law enforcement interests
  - investigation of terrorism;
  - cybercrime;
  - child exploitation offences;
  - organised crime;
  - national security.
- Fundamental rights
  - privacy;
  - confidentiality of communications;
  - protection against self-incrimination;
  - freedom of expression;
  - data protection.
The European legal framework is influenced by:
- Article 8 of the European Convention on Human Rights (right to private life and correspondence);
- Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union;
- national criminal procedure laws.
2. General Legal Position in Europe
Europe does not have one single encryption key disclosure law. Rules differ between countries.
Generally:
A. Disclosure by suspects
Courts examine whether forcing a suspect to reveal a password or key violates:
- the right against self-incrimination;
- the right to silence.
Some courts distinguish between:
- existing physical evidence (documents, files already existing);
- a person's mental knowledge (password remembered only by the person).
B. Disclosure by companies
Governments have increasingly tried to require platforms to:
- store communication data;
- provide user information;
- assist decryption.
However, European human-rights law has placed limits on mandatory encryption weakening.
3. Main European Case Laws
Case 1: R v S and A
Court:
Court of Appeal of England and Wales
Issue:
Two suspects refused to provide encryption passwords for computers seized by police.
They argued:
- revealing the key would indirectly incriminate them;
- it violated the privilege against self-incrimination.
Decision:
The court rejected the argument.
It held:
- an encryption key itself is not incriminating evidence;
- the key is comparable to a key opening a locked container;
- the contents existed independently from the suspect.
Therefore, disclosure could be compelled under the Regulation of Investigatory Powers Act 2000 framework.
Importance:
This is the leading European case supporting compulsory disclosure of encryption credentials by individuals.
Case 2: Podchasov v Russia
Court:
European Court of Human Rights
Facts:
Russian authorities required Telegram to provide information necessary to decrypt communications.
The government argued that access was needed for national security and criminal investigations.
Decision:
The Court held that forcing a provider to weaken encryption protections could violate Article 8 ECHR.
The Court emphasized:
- encryption protects private communications;
- weakening encryption for authorities can create risks for all users;
- generalised access mechanisms are disproportionate.
Importance:
This is the strongest European authority against mandatory encryption backdoors.
Case 3: K.U. v Finland
Issue:
Disclosure of online user information.
Principle:
The Court recognised that states must balance:
- investigation of crimes;
- protection of private communications.
Relevance to encryption:
Although not directly about encryption keys, it established that online anonymity and communications privacy are protected interests under Article 8 ECHR.
Case 4: S and Marper v United Kingdom
Court:
European Court of Human Rights
Issue:
Retention of personal information by the state.
Decision:
The Court found excessive retention of personal data incompatible with privacy rights.
Encryption relevance:
It supports the broader principle that government access to personal information requires:
- necessity;
- proportionality;
- safeguards.
This reasoning influences encryption and digital surveillance cases.
Case 5: Digital Rights Ireland Ltd v Minister for Communications
Court:
Court of Justice of the European Union
Issue:
Mandatory retention of telecommunications data.
Decision:
The CJEU invalidated EU-wide data retention rules because they interfered with:
- privacy;
- personal data protection.
Encryption relevance:
The judgment established that surveillance measures involving communications data must meet strict proportionality requirements.
Case 6: Tele2 Sverige AB v Post- och telestyrelsen
Court:
Court of Justice of the European Union
Issue:
General and indiscriminate retention of electronic communications data.
Decision:
The CJEU held that broad retention obligations could violate EU fundamental rights.
Encryption relevance:
A state cannot impose unlimited communication-access powers without strong safeguards.
4. Country Approaches
United Kingdom
The UK has one of Europe's strongest encryption disclosure regimes.
Under the Investigatory Powers Act 2016 and earlier RIPA provisions, authorities may issue notices requiring:
- disclosure of keys;
- removal of encryption protection;
- technical assistance.
Failure can result in criminal penalties.
Netherlands
Dutch law allows authorities, in certain situations, to require assistance from persons who know how encrypted systems work.
However, protections exist regarding suspects and self-incrimination.
Germany
Germany generally focuses on:
- targeted surveillance;
- device searches;
- lawful interception.
The constitutional principle of proportionality strongly limits broad encryption weakening.
France
French authorities can require assistance in accessing encrypted data under criminal investigation procedures.
Courts assess:
- legality;
- necessity;
- proportionality.
5. Key Legal Principles Emerging from European Case Law
Principle 1: No General Encryption Backdoors
European human-rights law increasingly rejects:
"Create a weakness in encryption so authorities can access everyone's communications."
The concern is that a weakness created for governments can also be exploited by criminals.
Principle 2: Targeted Access Is More Acceptable
Courts are more likely to accept:
- specific investigations;
- judicial authorisation;
- identified suspects;
- limited access.
Principle 3: Proportionality Is Essential
Any encryption-access measure must answer:
- Is there a legal basis?
- Is it necessary?
- Is it proportionate?
- Are there safeguards against abuse?
6. Difference Between Key Disclosure and Encryption Weakening
| Issue | Legal Treatment |
|---|---|
| Individual gives password to seized device | Sometimes allowed |
| Company provides existing stored data | Often allowed with legal process |
| Company creates universal decryption key | Highly problematic |
| Government demands encryption backdoor | Likely violates privacy principles |
| Targeted judicial access | More likely acceptable |
7. Conclusion
European law has developed a balanced approach:
- Individuals may sometimes be required to disclose encryption credentials, especially after lawful orders (as shown in R v S and A).
- Governments generally cannot require universal weakening of encryption systems, especially after Podchasov v Russia.
- The future European approach is likely to support:
  - targeted investigations,
  - judicial oversight,
  - strong privacy protections,
  - rejection of blanket encryption backdoors.
